Cybersecurity Expert: Assume You're Being Attacked Right Now


When it comes to IT security, it's best to assume hackers or cybercriminals have already penetrated your network, according to cybersecurity expert Roger Cressey.

Cressey, a partner at consulting firm Liberty Group Ventures who addressed the growing issue of cybersecurity at UBM's XChange Public Sector conference this week in Washington, D.C., discussed his experience working in the federal government. Cressey served as a member of the U.S. National Security Council from 1999 to 2001, during which time he served as the director for transnational threats on the council, and also served as chief of staff of the President’s Critical Infrastructure Protection Board from 2001 to 2002.

Unfortunately, Cressey said, the U.S. is still dealing with many of the same problems he saw more than a decade ago, from data beaches to security critical infrastructures. "All of those issues are still relevant today," he said, "which means we have not done a good job of trying to address the fundamental issues that are driving cybersecurity."

[Related: Broken Security: 5 Ways To Avoid The Coming Cryptopocalypse]

Cressey told the audience he still sees many of the same bad habits of 10 years ago; too many businesses and government agencies are vulnerable to simple distributed denial-of-service (DDoS) attacks, for example, while employees are still using weak password and carelessly exposing their login credentials.

But. Cressey said that lack of progress is both a curse and a blessing; on the positive side, it gives government-focused solution providers an opportunity to bring better security solutions to their customers. "People are paying attention to cybersecurity and the threat environment in a way that is qualitatively different than what we have been discussing in the past 10-plus years," he said.

But even though more people are paying attention to cybersecurity, Cressey said, more action is needed. And in that respect, he said, solution providers and their clients should act as if their network has already been compromised.

"There's a basic assumption that has to be made now," Cressey said. "You've got to assume you're penetrated. You have to assume somebody is on your network right now, sitting there and learning and watching what you're doing."

That may seem like a severe approach, but Cressey said businesses and government agencies that do that will be better off because they can then start preparing for how to solve the issue and take the next steps to ensure network resiliency.

Overall, Cressey said solution providers can't limit cyber-security to just the technology because the threat landscape is too vast, thanks to hacktivists, cybercriminals and state-sponsored hackers, and the number of vulnerabilities are too high. "There is no one solution that is going to address all of the issues in that spectrum of potential threats," he said.

Instead, VARs need to focus on the "cyber-trinity" of people, process and technology to educate their customers on proper security policy because, Cressey said, even the best security technology ever deployed can be defeated by bad practices and human error.

"We have got to get folks to understand that there isn't one part of that triangle that is disproportionately more important than the others," Cressey said. "It has to be all three."

PUBLISHED AUG. 21, 2013